Authentication Services Security (Windows Embedded CE 6.0)
1/6/2010
The following security support providers are supported:
- For Windows Embedded CE, Kerberos Security Support Provider
- NTLM Security Support Provider
- Schannel Security Support Provider
- Negotiate Security Support Provider
It is important always to use secure coding techniques while you work with the authentication services functionality.
Best Practices
Use mutual authentication
Use Kerberos security support provider (SSP) to provide mutual authentication between entities. Kerberos allows the server to verify client identity and allows the client to verify the server identity. Note that NTLM SSP does not provide mutual authentication.
Avoid storing user credentials on the device
Operating system developers can prevent users from saving passwords on the device through the Credential Manager. You can set the registry value DisallowSavedNetworkPasswords to 1. This helps to prevent hackers from extracting the network credentials from the device in case the device is stolen. For more information, see Authentication Services Registry Settings.
Avoid using plaintext passwords
Plaintext password credentials are used when Credential Manager caches the actual password. Plaintext passwords are major security risks and should be avoided whenever possible.
Use smart cards to store credentials
You can add a layer of security by storing authentication information on a smart card instead of on the device. This prevents hackers from extracting the network credentials from the device in case the device is stolen.
Use pass-through authentication
If a domain controller is available, use pass-through authentication instead of using the local database of user names and passwords. This practice avoids storing the user names and passwords on the device. Windows Embedded CE Web server, Redirector, and Distributed COM components can use pass-through authentication.
Use a strong authentication protocol
When using NTLM SSP, you can specify the authentication protocols for the client and the server separately. To prevent NTLM SSP from using the weaker authentication protocol, set the LmCompatibilityLevelClient value in the registry to 3. This specifies that the client will only use NTLM v2 for authentication. However, authentication will fail if the server is not capable of NTLM v2 protocol. You can also set the LmCompatibilityLevelServer value to 2 or to 3. Both of these specify that the server will only use NTLM v2. Authentication will fail if the client is not capable of NTLM v2 protocol. For more information, see Authentication Services Registry Settings.
NTLM v2 authentication protocol is only available in Windows CE .NET 4.1 and later. Servers running Microsoft Windows 2000 and later support NTLM v2.
Call AcquireCredentialsHandle only once
When using any SSP, call the AcquireCredentialsHandle only one time and use the cached credential handled to re-authenticate. This way, the user does not have to re-enter the credentials.
Default Registry Settings
You should be aware of the registry settings that impact security. If a value has security implications you will find a Security Note in the registry settings documentation.
For registry information, see Authentication Services Registry Settings.
Ports
No specific ports are used for authentication services.